Send Post Web Request to Website which has Repatcha control

Question

I want to post method a website which has recaptcha. I use website for web filter category suggesstion. I want to make an automation and automatically make post request. My code is below.

string fortiwebGetUrl = "https://www.fortiguard.com/faq/wfratingsubmit";
string fortiWebFilterPostUrl = "https://www.fortiguard.com/faq/wfratingsubmit";
using (var wb = new WebClient())
{
    var GetResponse = wb.DownloadString(fortiwebGetUrl); //first, i make GET, I tried to get captcha value, no impact.

    var data = new NameValueCollection();
    data["url"] = "testwebsite.com";
    data["categorysuggestion"] = "category";
    data["name"] = "myname";
    data["email"] = "myemail";
    data["company"] = "mycompany";


    var response = wb.UploadValues(fortiWebFilterPostUrl, "POST", data);
    string responseInString = Encoding.UTF8.GetString(response);
}

Response returns a HTML and shortly it says "Empty captcha". Web site is using recaptcha, but when I use website from browser, i dont have to enter or fill captcha bar, it automaticaly takes capctha value. It is hidden type html code. Sure, the web site puts capctha for security and my purpose is not to cause a security issue, but I want to make post request via my code. How can I handle on it? I accept any Javascript (AJAX etc.) solutions. Thanks.

Answer 1

Indeed if you find a way to bypass Google captcha you should inform Google and get a bounty.

Saying that, the hidden captcha will only display if google suspects you.

I managed to to get a new captcha and send the form outside the browzer doing the following:

1. Capture the cookie

Look for _GRECAPTCHA. Then extract the value you need: E.g.: 09APYnBZUPrCBVN9yqF_oKPvleUsvQ8L-6sU6NxsXA-9x3ZhBcgFDI4cUYB8-ob86cEhbmf7B_g7LCJrZeZtB58JU you need the 6sU6NxsXA-9x3ZhBcgFDI4cUYB8-ob86cEhbmf7B

Now, request a new captcha to google, you have to do a POST request and change the k value with the value you capture from the cookie:

E.g.: /recaptcha/api2/reload?k=6sU6NxsXA-9x3ZhBcgFDI4cUYB8-ob86cEhbmf7B

You also have to pass you "id" or whatever Google calculate, you can capture that doing a "legit" post from the browzer.

E.g.:

POST /recaptcha/api2/reload?k=6sU6NxsXA-9x3ZhBcgFDI4cUYB8-ob86cEhbmf7B HTTP/2
Host: recaptcha.net
Content-Length: 6795
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Sec-Ch-Ua-Platform: "macOS"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Content-Type: application/x-protobuffer
Accept: */*
Origin: https://recaptcha.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://recaptcha.net/recaptcha/api2/anchor?ar=1&k=6LfH36YkAAAAABsnkZCRrNd99f-6syCEZ5k8Uilk&co=aHR0cHM6Ly93d3cuZm9ydGlndWFyZC5jb206NDQz&hl=en&v=u-xcq3POCWFlCr3x8_IPxgPu&size=invisible&sa=submit&cb=64v45kmduu40
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i


u-xcq3POCWFlCr3x8_IPxgPu¤03AFcWeA7cXnwxptxdq8UYO16GTJf1GnXHjdjewm1AV8wY8d65fSW2kZ18mEUqmHISeH0dX_S2oQUkpZHvJUVd-Io2sVq4UGKVXJAMtWHXF4bNQbXpn69NgYRQ45h7TUrtOFkfrfjzPujaTCcuX7mvX7jVYKbWSJFgnZgQK0d_TK6CJq2OmCuC_T_ibiJIUSnUHN6FA5CO0ODuuJTwy2T4p7zPsfTPliSQ150C6zRpe4gotyUibnzyagTxLA3muhbwzhicfZju5gThJeigorBR950IF14ACOIeVRoiwBRH-tLG3sQy8abibxILnE8ej9Kga26mXgqNhUAzVr9L2QCYGTa1G9qmpgYBnEmwr68T4wMgJDKCzLUsn0Rx5hkSkf5lr6yz-dNuiPbgZFDbNkB_OloYfUvheHsSTiT3NyST-UEe6VPvd_gnp16oVDqA6Laorj5fZ9gx3dZA9dexMLbzjUNuUuy2qqLCPwVF1DLN_s0Sl1h5gFLyBtDQ4Q925SX37Fqj51bC39273n9_UCzib4B2hCgGOLE-V24DqBZByVboCEJQSk0HqvAmO9on_kri0BUf14w8oPks2r2uj5iwEVuv303vKJ-Jlh2glOgIbSPTx0583gSQvqormHQOdg3rlRfnT71VptbFv5vYS8HcoJenY0Jxnl2ivYXThpQPJDnnyNHNg23LLBaqkKBvmLZIgTvvIFdkYky0my3p52cTG6ArtA9bOT3fmJa6_Y49X-fnTturqd7OJcHJiUs23G6lg_IaW_0LNnLM8WaMZ0HU8MyHULnVHOjs7zg4iwzLnkt2tz4SKWUTU_q3-hbQzySv1V0pGxOOlqBO6kNweab1cJlVx-dEilse7aayr23G2J7hnPKsNr07qjLnbHf5PoJKx7vmlO09X-5kxKm4fPW8Gw79KPJND92_e8QgSt4XCbCDe1AhqlUy4tQk61ma-S05jsndeWNZXFd8_dhmEHayBfw23zQVOwGP6PMbQCPpmeq8DX3gCL1CWuf5gQCK2-E060k7xf_WPVcwnO44q3Ip02fU241iq80ReMULTNxAIWeyKJq0Ua0qIaEjb1wVw5nVxstBwec8vP4YlT8tfSBfBFoU8apVbABX-3v-OMfn7wy-tMJ0aJQurtW_0OVLyypWUKTYl3mVlWKiThfPBo5dJR6sw9Ajx1tkH9AYvMJkAebM5wV-zhnr-pgy-sPm8t12PuO5WlOp7ZKQmjRdeTlcWpbnO1iNC33ufckeG7IYXTlhcn2PQaPkSCX0sspBj31AG-GKq2ux8G5nMYD6xMyBZmcoRO2w0tX9Fcw-AWsxO-L6eri2dY_jmfCHsS--yZDJgJZ5mFS_HXPNF-r2bMM38adPprW4De4jBbnqLwHcjGwe3gexv470-SqX9LWmM_cfWI1LNlBmytLm2ZqCXpykku3Xqip4QwOJeiFtG1OiNHMeFv1QiqvxPzNziGNM2PkkzjGLikWJ0a6acaJ9XDfdqNiCJ3p0PZ3N9ur3MxT-ZEd-ziNO911E5FJEsmOCo-o8nx-K4zQuww6IXHky-XBtir0oxT5K6glXYIDj0ZsNsCrC40jOrJ41gulhcxXAoSHYSkiX7RNN_OCPGSr0mtUSNAZH5UXcUdllgxAnElVbjun1bmx7-OmEOnxZpDzu6G4kEU39Soj_rd0psKT_La45xIjqkOrDZ4RoBglAhARu1UmYkxe1n_GjXDxaVibGDtTRO9DfamhBM88q1pvIGJZihANjDBc9gknZscjbgYgXkBMhHyckzW-7HEECxUaQUVPh7Zn5fUtgnXKjLNEWwjWXWBuwS2RRSxtBvQ"!Z2GgYWQKAAQeHsFMbQEHDwGyaShwJfbWMaMeH63-irHb3E1_JGD8eqc6dSLQVmtfRLRqZKQpwmXSArQNU7LuJHlWx2GQTPKpqBExtsYwv50lN5XvO4ODlM6KHLxdNdW7cENcEtPcF6tWqlWXW_n1np_dVlUmoKtib6RBVss0LgmINTGEyDilHf1lUssIzJ5EgB9DQljewkhHgyDF32HGWW5bXpstWWFSHrqWeDjGKxgU3RVj0jospVbwzIBP2msmGXhmY1vFJjnpcEhQCZFplXUYwZFvpG2xBl6H69GlifDlQ5-gaBM9HZo635EFIvnf-88_qYbu6hvVT-BK5I7VuuMKtIkwKDPpoRAXr5D71FYOUtYRYwu3VOt1GyQgMBOUZN1sIT7EEHAvRDMcxJOtS2T-yqISd925AiwnGs4ngR8Ntxv31cvuyRvwx9daCtzcHfjRM9j4lKY1zQyg6eHx8sB6snbWxcRw8AYZnmUkynY34K1PUjN0EFRih2ETUiKmI-zBQPyw6SV8DsS7-P3X5kNd8gYPFrCaLwi6wsdS2QWzZikKe2Ec59IR7AzSCoxpFRP1m8cnRRi3fkrGd1-f9UZvngycAOiDx7fZBPMf-9usT6ClxImRyFlHDc7xyb5s-HXGxHSCjfLDxwQnBrhcvprKabIaibZLd5buezL6hJWfnig1Xe67tILda6UhSSYitomG8LXDomrLwfEMENfkHuP-sZJUT1zJ3w6rIAJnmNRiHI75Vf0_P61SNzds4cHhcjhjXmmvHzZMzNdI0XdSjyjaN9VNSJTzu_22CRKrnPAqzQIo-clZ7DhhDVrHAeb_eustdZ7f4NlEPHa-pm4diAn7i3A5NnCF_fX7I72V1Tmt_UKF93BmR_UUlQRrFsWf5zSvKdNOOjn1gX9wf1WS*
19202241412qBsubmitr(6LfH36YkAAAAABsnkZCRrNd99f-6syCEZ5k8UilkÕ0yfUkR1p2UrDT5gLePF9yjmrI6_4a9gg3gZuNlLrb8lBzhqJ-3P8SLgpoi566lvQXKkYigKO20q4ML0JeOpi7zurGJEdadlKw0-YC3jxfco5qtZjJIQ42SVKpyublHikuRFCOtsPX3DkXSnxqf9q87yhJWl1djZfR6TIYFGtWeI6g_ehKIW56jNbH6hY-TE5zcqnHz-vsEnCTpsKe_B8yTiqIq77athQ3SmZCoMPW8s4sT2J-Wrjb7grmRGd6lnK9oPwVOURWiayP6u8XBTRQepC-7v4NPitSiqevpeAkIFdpXnm7pekbCBJNb4OBvrbtDEpZX3182tMWKjdAaHKq2LK84gUjQ1Zuk7DLD_pFKIShjPAH_B4eJEpti6fB1vsXMHdirZDs_i8qRU55sp7J2RhHT4lQdpm60fICJ0Rio47ZvBgrVSxSc5Styd4DHD9_arWY9AExSkSCfJfC8P8MK198b7GQttn6DixCZoSc484Z_FhplZOIrs_wBiU6XnyT28YR9FBXU6mApsfpBh4yVnSL074J7EhVhrLE2MUVOxdUYI-J0MP65AotSmOGlrrW9jcibVCs3PsX6zBefJ-91MvNC0ZZUW-zrL3vKz0hbWNghqnG4QISNlBws57pzChGMJONla-s0vMTM05egpy-_-o1GHR_or-kyu0MIj5WepO39-ItEGyZk4Cmx-gBIDJVd4vTvgnsSENvXIKlxt7-DjBRaa-a5cgkN0yJZ3CWudruDCJEZIDDrvncODuDb3nJwAwYNxuDd5jH7foYOy8oTm-Qrcnm-ho2VHCCqMfhIw5ZPJi2w-4dEEpqaIHHt_zkNyNFdHGU38QVLU9UQpmYxOfSLSFVS5lyoMP3FTpaNneH0sHWEgwpU3Oi0N4FDkBFL3CrorXV8QYvT4KWvs3w9SxCbzRafZ6y0OYIKUeHctDzBiL-SSyIhZ_w3vcSTmhrd6ba9PUPXyRKa46qw9b7GzV3Yq2Q7P85ACZJaYOhstT0EFM-iWzI0OUtTEqAgMCyyecsM0dubqShyvf3AGA9caqK3eklJBNWUGqJ38DbP0wwhmei1wIOJVAqXJOYm_Hv8EpiU4GYl-TiE0JYQY6yw_W84gghQlZ7k7DJ4_ojPlqbhtG0ED03JEptiavB1vgYMXdiwOP2Eu45HHiJntf06yX8IkNmgJm10-oHKkNWe5az9-ItEGxoqp-t2eIFNktSk8Pm0_NCPUNpgp_b0AQ2WlhPg5nfwQw5SW1jYrK84A3yJmOHnYGo_OHxGCNxWpfMx-keS2Vzd4afs98jP1ZfY7KrxPwRQS9ra4Obtt8aM1YycYSa4eQLGBJvg5q6xM31NU5PWZHBq-nzNCk2cXqgp64DGBU4got2sNPiHBMtOlWspsLb5yw4RIlcgqO-2_kUL0xnhJ622voXV0KNcMzPHBgzYmeHbJK30_MGKEVeepmqyhP-SSyIj6SquN7_Ij5bao-uxQv2QSSAbs2Uut32GzNGa4ek59IwU2aCXqmM6Ov3S2J1fMG1zu_qSkpUWnbWwvDrGx5dkJq0wP0mHmFqa2_TrAMU-jRHY6ypzAjvPUlqkqGqz9_XN0oqf6nG4u7kCDBBZHKbsPL1MghnfXSgtfLfMCVfVImhwM7m-0E7NmuoocPeBxZJSodrxNfn-xQ6UWOFlrvdFhokZ0x6tdTKCTRRcGGRn8_a8ww5V2GjsLWxBRsqL1-ai8fJBwEbPHFug7Gm6RsMXDVlfprL0_wpTEmLn5-80wsbUkRhfrOf4OURKkaKb7bI0ODyP1xWjbmu1eweR12BmYehx8YAFlBWep_G4d_1EEg6cG-5vOH3OjZXU2vB5AIJDiJBY6qe4tEaCy9DVpaBtfcL_ik1ZZ6Rzc8EAxc0OoeFstD6_wBOZ3yJpKng8UMWMpK0z-DR-hY6VV-Amtzt9w9XR0aJrd67-gotX2B2sLm7FQ1KXUGWeZPoFCVGOEuepti8yfUxQj9PotLBC-D_SlBjjcDK1Bj-LFeGmKnc8OsPQGxNe7ux2PsJSC1WopGp3NYJQl1ib720x-YZFzJSX5q4wP0mDxprmbad4Pz3Qkp3kbOt2f3zPjBAXm-evgIJFCtQSYmt4tflCy1fcXa4yc_sA09JeH6WvLIUGUFbTomxju3HITdhV25_xdvlIhQraYt_0L_fFP5MTo2HdJq92fgUJklkq5bhxCAnS2N8rbfa8h4XFDpdfpKwxugIIWdSnYDc2xcCN11SoJO32gA3KWpPs5qzCN4pT1NbY6Lk9PjzFl1wh3-y3tL_JSpqgH3A1dQkAyVxa4q19d4XJl5MZ62ovPcERmNSj5TT0AviHFV5b7G6otP3CCNmiYrA0tDrFg48b6m2s9j270Q3V4OYiK7P8AgqOlx6k9vGEfRQem2nwrP1JDZSNlOLp7q_4EJgMk6At7_i-BpRRjxig6PA1_sTM0pnh5a71fU3Im1QrNjTztwCI0RdfY6wzecvGmVIpKHKDOQxIDeOs8Or-vcSKGlwhpvc5-37UnJMjIK4zv_kCitNaoKWuNPxNyJtUKy52A0vGjdYjnu3wwT_KUdzeKjSy-oHECxvbXPM2f0aLS9UbI6w5wIOEiVETIOktP_I7hEvTWl6m7_YGwZRNJCszbPqCghAXn6QqMgRICBnPGyIydPrJxFOXU-Ys8_c4i9NcpafwcLADg1DZEqJqsMB-xtFU4GMyLLe-DFCTGxymKzc5xxKS1mSh4SqzegCJzZXe5PXwg3wTF2Ysr6jCdD2FzlWboKjxOEjDjJKbYietgHkQEOIqsCd3BYmOT16d8Oa2wjcAiNDYXeOr9DsLxplSIWrztwiJ2RIU6DEu8MPEiczf6evr7DW9xUxU26Gor_c8wovSWmrluHEIBJjiaWP3vLLCk9qd3eJyLDcIgRSWI-akcfbA0ZWSmudobrgDTZPd3SGvZS62_sbNkZnhaTn0h0AXF6YurTH-DULO4t4q7XGBfMgU0OYp7n2AQMkPz5dp8nb4gY6XihOb5GqyNr7FzR7ZrGU0Qz4VXhpfrmf1_4mWFuAe8fD_d_7_CJDZH2ZrtfuMx5pTImv1uQiM0JYn5vIzA8LPC87haWXs7Ta-xw1U2aGz7oF6CVMcZ6FyPfe8kBBfqqnwtDY4AYnSmKBkrL75jFNaUyU0fL59_IwfIewwpzC1AYMY06ZfLn6IDlTa5OneJ6w2_gSIHeTfp62yC8_XWWFcMey_RsGZIeatpLdwP0jSXZck8_qCRgqQD-Imriw4xkLJyhOdJCoxuf8GjtUZoulxQcj¢tbMywxNDg4MCwyNTMwXSxbMSwxMDI1LDE3NDUzXV0sW1syLDE3NiwxNzQzLjMwMDAwMDAxMTkyMV0sWzIsNDA1LDE5MjAuOTAwMDAwMDA1OTYwNV0sWzIsMzA5LDI4MzMuNV0sWzIsMTY2LDMyOTEuMzAwMDAwMDExOTIxXSxbMiwyNTAsNDcyNC41XSxbMiwxMTIsNzk1Mi40MDAwMDAwMDU5NjA1XSxbMiwzMjksODQ1MC41XSxbMiwyNzQsMTI5NzQuNTk5OTk5OTk0MDRdLFsyLDIwMCwxNDA2Ni44MDAwMDAwMTE5MjFdLFsyLDExNCwyOTI0Ml0sWzIsNzAsMjk1OTAuNTk5OTk5OTk0MDRdLFsyLDc1MSw0MDYyNS43MDAwMDAwMTc4OF1dLFtudWxsLG51bGwsbnVsbCxbNSw0Ny4yODAwMDAwMDExOTIwOSwwLjAwNzE1Njc4MzIwMTcyMjA4MiwxMDNdLFswLG51bGwsMF0sMF0sWyJmaWxlc3RvcmUuZm9ydGluZXQuY29tIiwid3d3Lmdvb2dsZXRhZ21hbmFnZXIuY29tIiwicmVjYXB0Y2hhLm5ldCIsInd3dy5nc3RhdGljLmNvbSIsInd3dy5nb29nbGUtYW5hbHl0aWNzLmNvbSJdXQ

Now, from the response "rresp" read the captcha value.

E.g.:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Date: Sat, 23 Dec 2023 02:51:08 GMT
Expires: Sat, 23 Dec 2023 02:51:08 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Xss-Protection: 1; mode=block
Server: GSE
Set-Cookie: _GRECAPTCHA=09APYnBZVQFZsSS2_zwW1I5xfkvEmxkiqx4q7dC98nIlrPTiZlrUqx_XC-2_fwUHDkLXAzjxsQPp_0pSft1Df2jIg;Path=/recaptcha;Expires=Thu, 20-Jun-2024 02:51:08 GMT;Secure;HttpOnly;Priority=HIGH;SameSite=none
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

)]}'
["rresp","03AFcWeA4NFUIkl_yZeYTDeIDf0EyMn3dFXfnqSaFHeReYOPVdr6LNw201CoO3ED2UYH1dStpWFpKSSawfzsqRKh8OedN-PbMyaHDbxXW510u1Lsvom7DoqqMKGmPFGqVlcURbTKCUJaVji2zkzFoQ5_neTjysv0aUONQIVYPP3DoDjgMSiGsP77HeBAxhEDRCy8EJR5Uu_E_mH1mUxJQtgm3gPUL3X9_pxvbXtcYkcLe9PBzHZY7ur9Ypf9Ac-sMZVXRZcoIgTRiVdkgb4X75ZJMPCHkRqbeptOQz9PyiBpdR_C8vsmJUKoBxZERHFQRniLK_OWOv-VguLd5fQQQPn_cyy1LDCNxuGx3XX-0QiSf7lY28lGyNr5-S3GiNjpSKhbAbLtq1OrJrUZ7QAEdcg6noti75HT0UFJu_Di851FXSM-18cZcx00aUACuMhw3EP5OwFMIdpDF343-33omz10fc6CcmkPxwB8oBI-zEMI5MmAVBANw3OGm-ZYVX2Y_EdiCalHLHykbBT6OHGvSLSg_Y_ii_XcL0aWBMpOz5g7anzLYeHUMCTBiMlqvxTLOhUM9RrIrT_ME2",null,... 

Finally, add the captcha value to your post resquest:

E.g.:

------WebKitFormBoundaryf3kciwpWsyKSBnht
Content-Disposition: form-data; name="g-recaptcha-response"

03AFcWeA4NFUIkl_yZeYTDeIDf0EyMn3dFXfnqSaFHeReYOPVdr6LNw201CoO3ED2UYH1dStpWFpKSSawfzsqRKh8OedN-PbMyaHDbxXW510u1Lsvom7DoqqMKGmPFGqVlcURbTKCUJaVji2zkzFoQ5_neTjysv0aUONQIVYPP3DoDjgMSiGsP77HeBAxhEDRCy8EJR5Uu_E_mH1mUxJQtgm3gPUL3X9_pxvbXtcYkcLe9PBzHZY7ur9Ypf9Ac-sMZVXRZcoIgTRiVdkgb4X75ZJMPCHkRqbeptOQz9PyiBpdR_C8vsmJUKoBxZERHFQRniLK_OWOv-VguLd5fQQQPn_cyy1LDCNxuGx3XX-0QiSf7lY28lGyNr5-S3GiNjpSKhbAbLtq1OrJrUZ7QAEdcg6noti75HT0UFJu_Di851FXSM-18cZcx00aUACuMhw3EP5OwFMIdpDF343-33omz10fc6CcmkPxwB8oBI-zEMI5MmAVBANw3OGm-ZYVX2Y_EdiCalHLHykbBT6OHGvSLSg_Y_ii_XcL0aWBMpOz5g7anzLYeHUMCTBiMlqvxTLOhUM9RrIrT_ME2
------WebKitFormBoundaryf3kciwpWsyKSBnht--

And happy days, do that until 1. Google decides you're no longer legit or 2. The site owner decides to change the captcha type..